Can a CSRF CAPTCHA be defeated?+1 for the answer and bonus Synchronizer token info. Nice. Unfortunately, Synchnronizer token is more beatable than a CAPTCHA. All the attacker has to do is automate all the steps along the way using JavaScript.